fix #13960: False negative: no error when freeing struct member twice (regression) (danmar#7626)

ludviggunne · web-flow · commit a7f827d8bb01 · 2025-06-26T10:54:57.000+02:00
diff --git a/lib/checkleakautovar.cpp b/lib/checkleakautovar.cpp
@@ -413,8 +413,6 @@ bool CheckLeakAutoVar::checkScope(const Token * const startToken,
         // assignment..
         if (const Token* const tokAssignOp = isInit ? varTok : isAssignment(varTok)) {
 
-            if (Token::simpleMatch(tokAssignOp->astOperand1(), "."))
-                continue;
             // taking address of another variable..
             if (Token::Match(tokAssignOp, "= %var% +|;|?|%comp%")) {
                 if (varTok->tokAt(2)->varId() != varTok->varId()) {
@@ -730,8 +728,7 @@ bool CheckLeakAutoVar::checkScope(const Token * const startToken,
             VarInfo::AllocInfo allocation(af ? af->groupId : 0, VarInfo::DEALLOC, ftok);
             if (allocation.type == 0)
                 allocation.status = VarInfo::NOALLOC;
-            if (Token::simpleMatch(ftok->astParent(), "(") && Token::simpleMatch(ftok->astParent()->astOperand2(), "."))
-                continue;
+
             functionCall(ftok, openingPar, varInfo, allocation, af);
 
             tok = ftok->linkAt(1);
@@ -886,7 +883,7 @@ const Token * CheckLeakAutoVar::checkTokenInsideExpression(const Token * const t
                 while (rhs->isCast()) {
                     rhs = rhs->astOperand2() ? rhs->astOperand2() : rhs->astOperand1();
                 }
-                if (rhs->varId() == tok->varId() && isAssignment) {
+                if ((rhs->str() == "." || rhs->varId() == tok->varId()) && isAssignment) {
                     // simple assignment
                     varInfo.erase(tok->varId());
                 } else if (rhs->astParent() && rhs->str() == "(" && !mSettings->library.returnValue(rhs->astOperand1()).empty()) {
@@ -1024,7 +1021,10 @@ void CheckLeakAutoVar::functionCall(const Token *tokName, const Token *tokOpenin
             arg = arg->astOperand2() ? arg->astOperand2() : arg->astOperand1();
         const Token * const argTypeStartTok = arg;
 
-        while (Token::Match(arg, "%name% :: %name%"))
+        if (Token::simpleMatch(arg, "."))
+            arg = arg->next();
+
+        while (Token::Match(arg, "%name% .|:: %name%"))
             arg = arg->tokAt(2);
 
         if ((Token::Match(arg, "%var% [-,)] !!.") && !(arg->variable() && arg->variable()->isArray())) ||
diff --git a/test/testleakautovar.cpp b/test/testleakautovar.cpp
@@ -109,6 +109,7 @@ class TestLeakAutoVar : public TestFixture {
         TEST_CASE(doublefree16);
         TEST_CASE(doublefree17); // #8109: delete with comma operator
         TEST_CASE(doublefree18);
+        TEST_CASE(doublefree19); // #13960
 
         // exit
         TEST_CASE(exit1);
@@ -1814,6 +1815,18 @@ class TestLeakAutoVar : public TestFixture {
         ASSERT_EQUALS("", errout_str());
     }
 
+    void doublefree19() {
+        check("struct S {\n"
+              "  void *x;\n"
+              "};\n"
+              "void f(struct S *p)\n"
+              "{\n"
+              "  free(p->x);\n"
+              "  free(p->x);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.c:6:3] -> [test.c:7:3]: (error) Memory pointed to by 'x' is freed twice. [doubleFree]\n", errout_str());
+    }
+
     void exit1() {
         check("void f() {\n"
               "    char *p = malloc(10);\n"
